Comments
-
Probably wise, yeah. I'm not sure what would be preventing it unless some communication from the manager to the agent is being blocked.
-
You have to add a sub-group (the green box) and then it's in the top-right corner.
-
What version of the Reports console was used to create the custom report? What version of LEM was the custom report designed to run against?
-
I notice that the rule includes an AnyAlert.ToolAlias. Since all the other correlation fields are ServiceWarning, why not set this to ServiceWarning.ToolAlias? The AnyAlert would cause a lot of memory utilization and might be causing false positives on the rule.
-
I think with the Agents, the more realistic scenario is multiple LEMs, and then connecting to those LEMs via the console. The console would let you monitor and build rules, groups and users on any connected LEM.
-
You can do it that way, or use the FIM connectors on the Agent.
-
But where does that madness end? "We wanted to know when the agent stopped and restart it. So we made the Agent Supervisor. Then people wanted to know if the Supervisor had stopped, so we made the Agent Supervisor Supervisor. Then people wanted to know if..." Pretty soon, the Agent and the Agent Supervisor Supervisor…
-
Ready to dive into the LEM techronomicon? Here we go... The LEM generates new partitions as event data comes in, and drops old partitions as the disk fills up. The frequency of this creation is based partially on size and partially on event count. If you want to see all the partitions, you can run the Database Maintenance…
-
No, the LEM gets the node names from what it sees in the logs and those aren't customizable in the LEM interface.
-
That rule looks like it'd work. Are you seeing the events in LEM (look at the "General Change Management" filter)? What source accounts are being logged? Also, can you check the time on the LEM? If you SSH into the LEM, go to APPLIANCE, run DATECONFIG and then press ENTER without entering any information 4 times. Is the…
-
Change the fields you're using to TCPTrafficAudit.SourceMachine and TCPTrafficAudit.DestinationMachine. Remove the solo "TCPTrafficAudit." In the "ACTION" part of the rule (the orange box) make sure that all fields refer to TCPTrafficAudit._________.
-
The connector should know that is what happens, and move to the next log. Can you try it for science?
-
I wouldn't recommend it, as it's way too easy to break the connectors. If you need a connector adjusted, contact support.
-
Assuming that "SpecialClients" is a User Defined Group with a list of hostnames (complete with the necessary wildcards), and that you want an alert when someone tries to log IN to a SpecialClient and not when someone tries to remotely log into another system FROM a SpecialClient, you need to use…
-
Under build rules, have you clicked the Activate Rules button since disabling your rule?
-
I guess the questions to answer are "How much data do you generate in a day?" and "How many days do you need to keep?" You might consider multiple LEMs monitoring different segments of the network, which at least allows you to "divide and conquer" the devices you need to monitor.
-
I guess this is part of the argument for good, consistent host naming conventions, then. I'm not aware of a setting that would force the LEM to prefer one over the other, but I'll ask around. Update: I've spoken to my colleagues and a couple of the devs, and it doesn't look like there's a way to tell the LEM to always…
-
I ran the tests, it doesn't look like any existing tool will match this log, so you'd need to put in a feature request.
-
I'm digging deep into the LEM Techronomicon for this, but it appears that right now the LEM does not run an NTP daemon. It syncs with the VM host or NTP source on boot, and then maintains its own time. I'll have to confirm with the devs to make sure I'm understanding that right. In the meantime, rebooting the appliance…
-
Agents have a one-to-one relationship with Managers, there's no feature to have a single Agent send to multiple LEM appliances.
-
The error you're providing is coming from Windows, so I'm still pretty sure it's either the path or permissions or a bad password. You probably ought to open a ticket with support so we can have a GoToMeeting to look at this.
-
Assuming it has all the relevant machines in it, sure. :-)
-
It's left to the Agent's discretion. Personally, I tried to vary methods, so I might e-mail twice and leave a voicemail once. Even if the ticket was closed, there's an automatic alert (outside control of the Support person) that sends a message about the ticket being closed and there's a customer satisfaction survey (or…
-
That probably needs to be a feature request.
-
Possibly, but not in the provided Reports console, that'd be more something for hooking Crystal Reports to LEM and modifying things there.
-
You got this solved, but maybe the next person will benefit. I did a walk-through of resolving this problem on YouTube. https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
Yeah, that's a limit of Windows, I'm afraid. Even FIM will get flooded with the attribute and property "reads" because Windows makes no distinction between actually opening a file and just getting properties on the file.
-
No problem!
-
Silly question: have you run an install or update with YUM on those systems? There are current logs since the LEM Agent started reading for YUM activity?
-
Cool, I see the event and have sent it up the chain.